Mac Users, Developers Reconciled to Security Threats
According to a security advisory updated Tuesday by Copenhagen-based security vendor Secunia Ltd., although the patch released by Apple on Friday prevents Web pages from calling the "help:" uniform resource identifier, it still remains possible to remotely mount disk images without a users permission.
By registering and executing an arbitrary URI handler, hackers could run code placed on the disk image. Secunia said it is possible to use this exploit with volumes mounted via the "disk:" URI handler, or via AFP (Apple File Protocol), FTP, or SMB protocols. Secunia rates this vulnerability as "extremely critical."
Although Apple has yet to make any public pronouncement about the newly-discovered vulnerabilities, it took the unusual step of issuing a press release after it released its last patch.
In the message, Phil Schiller, the companys senior vice president of worldwide product marketing, said: "Apple takes security very seriously and works quickly to address potential threats as we learn of themin this case, before there was any actual risk to our customers."
As yet, there have been no reports of anyone using the security holes in a malicious exploit.
"There are no computers without a list of vulnerabilities and Apple is no exception," said one IT manager of a large educational institution who requested anonymity. "Sun puts out patches every week. Apple has been responsive to security."
The administrator said he was less concerned over security for his Mac and Linux systems than for his Windows machines. The lack of exploits on the Mac platform, he said, showed that the vulnerabilities werent easy to exploit, and that malware authors looked for a larger audience for their creations.
"I suspect that theres not as much chance for bragging rights on OS X [from an exploit]. And its clear that they dont hate Apple like they hate Microsoft," he added.
Still, at the heart of the recent security issues appears to be the overall design of URI handling in Mac OS X. Some observers said the interface has focused on ease of use rather than security. In its advisory, Secunia charged that "the core of the problem seems to be the design of URI handling in Mac OS X. It is likely that many other URI handlers are affected in various ways."
Jason Harris, a programmer with Mac software developer Unsanity Inc., offered that "this is a rather large problem without an easy solution."
"Theres lots of overlap between useful applications of this functionality and malicious ones, meaning that Apple cant easily fix this without removing useful features from its operating system and from existing apps," Harris said.
Editors Note: David Morgenstern contributed to this report.